Forum Discussion
API Permissions (UnifiedPolicy.Tenant.Read)
- Oct 25, 2023
Hi thatsecurityguy,
The API permission for the Microsoft Information Protection SDK that you need to read unified labeling policies for the tenant is UnifiedPolicy.Tenant.Read.
This permission is listed in the Microsoft Entra app permissions blade under the MIP Sync Service. However, it is not currently available in the Azure AD admin portal.
Required API permissions - Microsoft Information Protection SDK | Microsoft Learn

To grant this permission to your app registration, you can use the Azure AD Graph API.
You can use this PowerShell script as a starting point (example):

```powershell
# Set the variables
$appId       = "<your-app-registration-id>"
$tenantId    = "<your-tenant-id>"
$accessToken = "<your-graph-api-access-token>"

# Create the JSON body for the request
# (Invoke-WebRequest needs a JSON string here, not a raw hashtable)
$body = @{
    "id" = "$appId"
    "addPermissions" = @{
        "value" = @{
            "apiId" = "27453c88-c861-411c-8041-00f0a2486951"
            "type"  = "Application"
            "value" = "UnifiedPolicy.Tenant.Read"
        }
    }
} | ConvertTo-Json -Depth 5

# Make the request to the Azure AD Graph API (this endpoint requires api-version;
# ${appId} is braced so PowerShell does not read the trailing "?" as part of the variable name)
$response = Invoke-WebRequest -Uri "https://graph.windows.net/$tenantId/applications/${appId}?api-version=1.6" `
    -Method Patch `
    -Headers @{ Authorization = "Bearer $accessToken" } `
    -ContentType "application/json" `
    -Body $body

# Check the response status code (a successful PATCH returns 2xx, usually 204 No Content)
if ($response.StatusCode -ge 200 -and $response.StatusCode -lt 300) {
    Write-Host "The UnifiedPolicy.Tenant.Read permission was successfully granted to your app registration."
} else {
    Write-Host "An error occurred while granting the UnifiedPolicy.Tenant.Read permission to your app registration." -ForegroundColor Red
}
```
Once you have granted the UnifiedPolicy.Tenant.Read permission to your app registration, you will be able to use it to read all of the unified labeling policies in your tenant.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Hello LeonPavesic,
While attempting to configure the above, I was able to find the Service and the permission under it in happenstance.
The Service IS available in the admin portal, but it's in a less than ideal location (personal opinion).
When adding a permission and searching under Microsoft APIs you won't be able to find the 'Microsoft Information Protection Sync Service', but if you search under 'APIs my organization uses' and then search for 'Microsoft Information Protection Sync Service', you should be able to find it there with the UnifiedPolicy.Tenant.Read permission.
If only there was a search bar at the top where you could search for any/all API permissions regardless of the service, one that would list the APIs and the services they're under when searched...
It's mentioned in this doc, fwiw: https://learn.microsoft.com/en-us/information-protection/develop/setup-configure-mip
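The following is an added example, not code posted by either participant. It does the same job as the Azure AD Graph script above (declare UnifiedPolicy.Tenant.Read on the app registration and grant admin consent) using the Microsoft Graph PowerShell SDK, since the graph.windows.net endpoint used in that script has been retired. It also explains the observation in the second post: the MIP Sync Service shows up under "APIs my organization uses" because it is a service principal in your tenant, so the script looks it up by its appId (the 27453c88-... value from the thread) rather than by display name. Assumptions: the Microsoft.Graph module is installed, you sign in as an administrator allowed to edit applications and grant consent, and the angle-bracket value is a placeholder you replace.

```powershell
# Added example (not from the thread): grant UnifiedPolicy.Tenant.Read to an app
# registration with the Microsoft Graph PowerShell SDK instead of Azure AD Graph.
# Assumes the Microsoft.Graph module is installed and an admin signs in.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$appId          = "<your-app-registration-client-id>"     # placeholder, replace
$resourceAppId  = "27453c88-c861-411c-8041-00f0a2486951"    # MIP Sync Service appId (from the thread)
$permissionName = "UnifiedPolicy.Tenant.Read"

# The resource is a service principal in the tenant (hence "APIs my organization uses");
# look it up by appId so the display name does not matter.
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
if (-not $resourceSp) { throw "MIP Sync Service service principal not found in this tenant." }

# Resolve the app role id from its value so no permission GUID has to be hard-coded.
$role = $resourceSp.AppRoles |
    Where-Object { $_.Value -eq $permissionName -and $_.AllowedMemberTypes -contains "Application" }
if (-not $role) { throw "$permissionName is not exposed as an application permission by this resource." }

# Step 1: declare the permission on the application object (what the portal's
# "Add a permission" does), keeping every other declared resource intact.
$app    = Get-MgApplication -Filter "appId eq '$appId'"
$others = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $resourceAppId })
$access = @($app.RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $resourceAppId } |
    ForEach-Object { $_.ResourceAccess } |
    ForEach-Object { @{ Id = $_.Id; Type = $_.Type } })
if (-not ($access | Where-Object { $_.Id -eq $role.Id })) {
    $access += @{ Id = $role.Id; Type = "Role" }   # "Role" = application permission
}
$required = $others + @(@{ ResourceAppId = $resourceAppId; ResourceAccess = $access })
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $required

# Step 2: grant admin consent by assigning the app role to the app's own service
# principal. Declaring the permission alone does not grant it.
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$already = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resourceSp.Id }
if (-not $already) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
        -PrincipalId $appSp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
}

# Verify: list the application permissions this app now holds on the MIP Sync Service.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id |
    Where-Object { $_.ResourceId -eq $resourceSp.Id } |
    Select-Object ResourceDisplayName, AppRoleId
```

The two steps are deliberately separate: the requiredResourceAccess entry is only a declaration, and the app role assignment is the actual grant, which is why an app that shows the permission in the portal can still be refused a token until consent is recorded. The lookup by appId also means the script fails loudly if the MIP Sync Service principal has never been provisioned in the tenant instead of silently granting nothing.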